Hi. In our application we use authentication based on client SSL certificates. I've found out that checking of client cert revocation is not done automatically if the CRL Distribution Point is present in the client certificate. Is this intentional, or just not done yet?
The only way to do revocation checking is to configure SSLCARevocationPath or SSLCARevocationFile.
The world of certificates is full of mess. The CRL Distribution Point is not mandatory. So if it is not present, the last chance to do the checking is through the SSLCARevocation* vars. So they have their meaning.
I've found a discussion about reloading values of SSLCARevocation*:
http://markmail.org/message/nrhnyd6dppl25uxj

From: Erwann ABALEA (eaba...@xxxxxxxxx)
Date: Oct 15, 2008 9:08:30 am
List: org.apache.httpd.dev

"CRL refreshing should also be taken into account; killing and restarting a webserver every hour or every day because we downloaded a new CRL is not a viable solution in a production environment, and OCSP is not always a good answer (we're not talking about a sub-minute revocation status)."
So my question is: is the CRL refreshing (reload of CRL files) done in the current Apache versions?
And in the end, what about OCSP - is it supported?

Jan.